iClicker Hacking – Part 1

Before I start, I’d like to note that this is my first reverse engineering project.

So the story here starts with me taking a class that required me to purchase one of these iClicker’s ( http://www.iclicker.com/Products/iclicker/ ), otherwise I wouldn’t get “participation” points in class :/ So I purchased one and booted it up during lecture to “participate”. It was neat to see some tech in the classroom, but the material wasn’t any more interesting, so I decided to tear this thing apart… I busted out my utilikey and tore it apart mid-lecture.

At this point the professor noticed all the students were “participating” except me. She then walked up to my desk and noticed the iClicker completely torn apart and asked “What are you doing?” to which I responded “Opening this thing up..” and she responded with “This is not apart of the lecture, you shouldn’t be doing this in class. This is very important you should be paying attention.” I figured it’s time to protect my grades so I said I would clean it up right away, and did so.. (unhappily)

I later got to my setup at Nullspace Labs ( http://032.la/ ) and soldered on a 6pin header for the ICSP line. Then connected my AVR Dragon and attempted to dump the firmware and EEPROM from the ATMega8A with an external power supply connected to the power leads for the battery. As soon as I attempted the read, the iClicker reset itself. So I figured the power management must be doing some funky things, so lets by pass all that and go directly to the ATMega8A’s VCC and GND line. I soldered on some kynar wire to pin 4 (vcc) and pin 5 (gnd) and attempted the read again..

Success!! The security bit was never set! So now that I could communicate with the chip, I decided dumped the firmware and EEPROM. (Reversing in IDA to come in Part 2)

At this point I realized the hardware ID must be in the EEPROM, so I went exploring looking for “3300B586” which is the hardware ID written on the back of the device:

I noticed at line 0 column A the sequence “3300B5”, huzah! At this point I could just modify this and change the hardware ID of the iClicker!

Next I decided to listen to the communication between the ATMega8A and XE1203F by sniffing the SPI bus, following the datasheets I soldered up some wire to the SPI lines. Once the wiring was done I used my handy AnnaLogic to sniff the SPI bus.

Once I powered up the iClicker (note: it’s not connected to an instructor machine) I began the sniffing and pressed the following sequence of buttons: A B C D E . I noticed that there was only data on the Slave Input lines, which makes sense since there is no instructor machine to send data back. Between each button I pressed only one byte was changed, and it doesn’t seem to be as intuitive as ‘A’, ‘B’, ‘C’,’D’,’E’. Instead A = 177 (0xB1) , B = 181 (0xB5), C = 189 (0xBD), D = 190 (0xBE), E = 186 (0xBA).

Next I need to capture some traffic between my iClicker and the instructor machine to see a full cycle of registering the iClicker to the instructor machine, voting and receiving confirmation that the vote went through.. I’ll leave that for Part 2.

Please note that I will NOT be doing this packet capture in the classroom (it’s no place for learning anyway), I’ve decided to purchase an instructor base station to prevent any issues with my school. Plus it gives me control to test and try out things I normally wouldn’t be able to do.

For the mean time I need the clicker for lectures so I’ve poked a hole into it.. totally looks normal

Next up.. reverse engineering the firmware in IDA, stay tuned for Part 2:

So far the only defeat has been spoofing other iClicker hardware ID’s by reprogramming the EEPROM (thankfully iClicker never set any security bits ) It’s not much yet, but next up is to reverse the firmware and figuring out how the packets are sent, handled and then to create a new firmware with some extra features. A few new features I’ve thought of are listening in to other iClickers, submitting and spoofing as other iClickers, and making a general purpose ISM band radio.

21 comments

[…] [Arko] was compelled to purchase an iclicker to use in some of his college courses. It’s similar in size to a television remote control except it only has six buttons and it communicates via radio frequency instead of infrared light. The idea is that classrooms have a base station that the instructor uses, and he or she can ask questions of the class and have instant feedback. Results are often projected on a screen for all to see but only the instructor can get at the breakdown of who answered in what way. In [Arko's] case, the class awards participation points that you can only get by using this device. He decided to actually learn something from the expenditure by reverse engineering the device. […]

[…] [Arko] was compelled to purchase an iclicker to use in some of his college courses. It’s similar in size to a television remote control except it only has six buttons and it communicates via radio frequency instead of infrared light. The idea is that classrooms have a base station that the instructor uses, and he or she can ask questions of the class and have instant feedback. Results are often projected on a screen for all to see but only the instructor can get at the breakdown of who answered in what way. In [Arko's] case, the class awards participation points that you can only get by using this device. He decided to actually learn something from the expenditure by reverse engineering the device. […]

If you have a buspirate you could just link onto the SPI lines during class and dump the whole session transparently while “participating” normally. If you have an n900 you can even do it without anything but a random cable going from pocket (containing n900+buspirate) to clicker. I’m sure it can be done with other phones/tablets as well.

Also, I noticed there is encryption on the iClicker so that without the key entered into the base station, the base can’t understand the clicker. But there is a mode that, when sent from the base station, puts the iClicker into non-encryption mode and sends its ID over the wire (for iClickers whose label has been worn away). You can send that command from any iClicker (since they put a transceiver, not a transmitter only) and get IDs for every iClicker in the room. Then spoof everyone in the class whenever you want. Since only the last-entered value is stored so you can overwrite everyone if you attach a faster processor with the new firmware to the transceiver (or multiple) and send all the results at the last second.

Diabolical! I will look into this, thanks for the tip! I figured that is the only way to spoof everyone else. I however will NOT be doing this in my class, but just for demo at home. I need to get a hold of one of these base stations.

I wrote a simple iclicker sniffer for the Girltech IM-Me a while back. It was based entirely on over the air observations (as was gr-clicker). Email me if you want the source. The one big thing I never did was figure out how the ID is encoded, though you don’t need to know that to spoof another device once you have recorded a transmission from that device. Still, you should be able to figure out the encoding from reversing the firmware.

Awesome! I’m glad the button codes agree. I can’t wait to reverse the firmware to figure out that ID encoding. I think I’ll take you up on the offer for code and shoot you an email. Also, I think we met at Toorcon this year..